Several popular mobile password managers are inadvertently disclosing user credentials due to a vulnerability in the autofill functionality of Android apps.
The vulnerability, dubbed “AutoSpill,” can expose users' saved credentials in mobile password managers by bypassing Android's secure autofill mechanism, according to university researchers at IIIT Hyderabad, who discovered the vulnerability and presented their research at Black Hat Europe this week.
The researchers, Ankit Gangwal, Shubham Singh and Abhijeet Srivastava, found that when an Android app loads a login page in WebView, Google's pre-installed engine that lets developers display web content inside an app without launching a web browser, and an autofill request is generated, password managers can become “misguided” about where they should direct the user's login information and instead expose the credentials to the native fields of the underlying app, they said.
“Let's say you're trying to log in to your favorite music app on your mobile device and you use the 'log in through Google or Facebook' option. The music app will open a Google or Facebook login page within itself via WebView,” Gangwal told TechCrunch ahead of his Black Hat presentation on Wednesday.
“When the password manager is invoked to autofill credentials, it should ideally autofill only on the Google or Facebook page that has been loaded. But we discovered that the autocomplete operation could accidentally expose credentials to the base application.”
Gangwal notes that the ramifications of this vulnerability, particularly in a scenario where the base application is malicious, are significant. He added: “Even without phishing, any malicious app that asks you to log in through another site, such as Google or Facebook, can automatically access sensitive information.”
Researchers tested the AutoSpill vulnerability using some of the most popular password managers, including 1Password, LastPass, Keeper, and Enpass, on new and updated Android devices. They found that most applications were vulnerable to credential leaks, even with JavaScript injection disabled. When JavaScript injection was enabled, all password managers were susceptible to the AutoSpill vulnerability.
Gangwal says he alerted Google and the affected password managers about the flaw.
1Password CTO Pedro Canahuati told TechCrunch that the company has identified and is working on a solution for AutoSpill. “While the fix will further strengthen our security posture, 1Password's autofill feature has been designed to require the user to take explicit action,” Canahuati said. “The update will provide additional protection by preventing native fields from being populated with credentials that are only intended for the Android WebView.”
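As an added illustration, not code from the article or from any of the vendors named, the following Android AutofillService sketch applies the rule described above: credentials saved for a web domain are offered only to fields inside a WebView document on that same domain, never to the host app's native fields. `lookupWebCredential` stands in for a hypothetical vault lookup.

```java
import android.app.assist.AssistStructure;
import android.app.assist.AssistStructure.ViewNode;
import android.os.CancellationSignal;
import android.service.autofill.*;
import android.view.View;
import android.view.autofill.AutofillValue;
import android.widget.RemoteViews;
import java.util.*;

public class DomainBoundAutofillService extends AutofillService {
    // Hypothetical vault lookup: {username, password} stored for this web domain, or null.
    protected String[] lookupWebCredential(String domain) { return null; }

    @Override
    public void onFillRequest(FillRequest request, CancellationSignal signal,
                              FillCallback callback) {
        List<FillContext> contexts = request.getFillContexts();
        AssistStructure structure = contexts.get(contexts.size() - 1).getStructure();
        // Group fillable fields by the web domain of the WebView document they sit in.
        Map<String, List<ViewNode>> byDomain = new HashMap<>();
        for (int i = 0; i < structure.getWindowNodeCount(); i++) {
            collectWebFields(structure.getWindowNodeAt(i).getRootViewNode(), null, byDomain);
        }
        FillResponse.Builder response = new FillResponse.Builder();
        boolean offered = false;
        for (Map.Entry<String, List<ViewNode>> entry : byDomain.entrySet()) {
            String[] cred = lookupWebCredential(entry.getKey());
            if (cred == null) continue;
            RemoteViews label = new RemoteViews(getPackageName(), android.R.layout.simple_list_item_1);
            label.setTextViewText(android.R.id.text1, cred[0] + " (" + entry.getKey() + ")");
            Dataset.Builder dataset = new Dataset.Builder(label);
            for (ViewNode node : entry.getValue()) {
                boolean isPassword = Arrays.asList(node.getAutofillHints())
                        .contains(View.AUTOFILL_HINT_PASSWORD);
                dataset.setValue(node.getAutofillId(), AutofillValue.forText(isPassword ? cred[1] : cred[0]));
            }
            response.addDataset(dataset.build());
            offered = true;
        }
        // No matching web document: fill nothing rather than guess at the host app's native fields.
        callback.onSuccess(offered ? response.build() : null);
    }

    // The WebView container node carries the document's domain; its descendants inherit it.
    // Native views of the host app never acquire a domain and are therefore never collected.
    private static void collectWebFields(ViewNode node, String inherited, Map<String, List<ViewNode>> out) {
        String domain = node.getWebDomain() != null ? node.getWebDomain() : inherited;
        if (domain != null && node.getAutofillHints() != null) {
            out.computeIfAbsent(domain, d -> new ArrayList<>()).add(node);
        }
        for (int i = 0; i < node.getChildCount(); i++) collectWebFields(node.getChildAt(i), domain, out);
    }
}
```

The service must still be declared in the manifest with the `android.permission.BIND_AUTOFILL_SERVICE` permission and selected by the user as the active autofill provider; the domain check here is the only part specific to the leak the researchers describe.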
Keeper CTO Craig Lurey said in comments shared with TechCrunch that the company was notified about a possible vulnerability, but did not say whether it had made any fixes. “We requested a video from the researcher to demonstrate the reported problem. Based on our analysis, we determined that the researcher had first installed a malicious application and subsequently accepted a message from Keeper to force the association of the malicious application to a Keeper password record,” Lurey said.
Keeper said it “puts in place safeguards to protect users against automatic credential filling in an untrusted app or on a site that was not explicitly authorized by the user,” and recommended that the researcher submit his report to Google, “since it is specifically related to the Android platform.”
Google and Enpass did not respond to questions from TechCrunch. LastPass spokesperson Elizabeth Bassler had no comment by press time.
Gangwal tells TechCrunch that the researchers are now exploring the possibility of an attacker extracting credentials from the app into WebView. The team is also investigating whether the vulnerability can be replicated on iOS.